I've also removed the job advert, and combined the threads that resulted into this single security thread.

Comments on the wiki article would be well received and I will amend and act on any errors or omissions.

Overall though, I stick to my initial guns by saying that I find it highly unlikely that a terrorist is about to behead you after an infiltration plot to gain access to the ARRSE email database. i.e. Don't panic.

I fear the original job announcement thread is getting taken off track.

Perhaps further "applicant vetting" commentary could be lodged here.

Any security measures put in place should perhaps meet the oft cited maxims of being
"Proportional, Affordable and Reasonable".

Looking at past performance from some arrsers over the past 6 years, I think there are more pressing security needs in the PERSEC area than there are in how Arrse recruits its full-time staff.

A threat assessment would indeed cover all aspects of Arrse usage, not just the hiring of one employee.

The BS 7858: 2006 standard ( Security screening of individuals employed in a security environment. Code of practice ) would not be a bad start.
There are a number of potentially vulnerable young Cadets and recruits on Arrse. Whilst it has its limitations*, a CRB check may not be a bad idea as well.

The COs also know that they can turn to a ready-made panel of expertise who have been conducting reliability interviews and checks in NI, Bosnia, Sierra Leone, Iraq and Afghanistan for the past 40 years.

However, the best form of personnel security is good man-management and pastoral care. The person could have DV with all the bells and whistles up to 49 PARA spec ops.

However, if they are not managed properly and made to feel part of the team, then no vetting in the world will do the job.

* Even Mrs Sonic has a current CRB cert with her name incorrectly spelt

As the post would provide access to the real email addresses of lots of servicemen and women whose units, rank and deployment is often clear from their posts, wouldn't some form of vetting be a very good idea, especially for those from a non-service background?

Hasn't ever been a problem for the mods who also have access to that information. Some of the mods are civvies through and through and I don't think Arrse has ever had one instance of a 'security breach'.

I'm sure GCO can use his good judgement recruiting the right person without needing to call in Stella Rimington.

And surely a privacy clause in whatever contract is drawn up would cover concerns for untoward use of 'personal details'. For craps sake, MCM don't 'DV' most of the civvies and they have the world at their fingertips!

Thanks for the sensible post on this, and the point about management is very true. A disgruntled employee could take an address list and sell it to a spam company.

I still don't see a valid threat because of email address compromise however. That doesn't mean we don't take the protection of them seriously - we do, and any request for one will be met with a refusal and 'court order only'. Even when we would love to give the requesting authority / legal representative the email address concerned.

I do not think however that my employing an IT graduate in Plymouth is a remotely serious threat to ARRSE users. Walking out of MOD main building every day, wearing your uniform home, becoming an executive director for a security company after retiring as CGS may do. Using ARRSE doesn't.

Fair enough GCO, I share your views about the counter-productivity of all these conspiracy theories and it is sufficient simply to know that you have taken this possibility - however remote - into consideration. Your judgement prevails.

I agree very much with what's been said here so far, while security is a concern for any web site that deals with personal information, there really is a line where a company's responsibility to its customer needs to be drawn. Personally, I think that a CRB check is a fairly reliable way of confirming that the potential employee is trustworthy. Anything further than this is very much overkill for a website Administrator job, especially when it's likely to be filled by an ex-serviceman.

At the end of the day, this site isn't part of the MoD's web presence and as such can't be held to the same standard as sites such as Armynet for security. It's expensive, labour intensive and it's not required, restricted information isn't passed through the website and the emails present in the user database are unlikely to be SASTROOPER@MOD.CO.UK. Anything else is purely the user's responsibility to his PERSEC, if you're worried about being discovered to be an Army Cook or some such don't demonstrate an in-depth up-to-date knowledge of the army cooking course on the website. It's exactly the same as wandering around the city centre in your no.2s and then moaning about the police not providing a wheeled box to protect your identity.

Not much point going for CRB let alone S/C, S/C+ or DV (to use extreme examples) when commercial data centres are struggling to find staff of the right technical calibre in the first place.

With hindsight, I accept that the probability of any compromise occurring through access to IP addresses is pretty negligible. Most people don't have a static IP address anyway, as GCO points out.

Hopefully people are becoming more and more aware of the risks arising from posting email addresses, and are either using web based services or at least using them carefully (eg fred-dot-bloggsATaol.com).

The issue of disgruntled staff is a valid one IMO, and the point about good management is perfectly valid.

These factors are everywhere though in business and the public sector also, as with all things to do with persec and the internet I work on the simple fact of whatever I post may come back and haunt me...also if you use your primary email address for a web forum well...doh.

QED...if you worry the net is compromising persec then don't use it.

The latest move by many ISPs to sell your stats is a bigger worry, if you worry about IP tracking and personal information. Personally though I really don't give a monkeys to be honest as to target me as an individual amongst the terabytes of data means that it's tinfoil time.

Information security is a big concern for everyone, I used to be heavily involved with it in a commercial/professional capacity.

The bottom line is there is only so much a site owner of a public forum like this can do and any security measures have to be appropriate for the level of risk anticipated. It is freely open to the net and as long as the site is run professionally, which it is, I am happy to continue to post here.

So, look at the risks, decide how to treat those risks and check at regular intervals.

Maybe in the welcome email that is used to confirm email address or somewhere prominent on the site could be a paragraph on security, tips and advice, what is the users responsibility and what is the site owners responsibility etc.

Might be worth pointing out that, as a serving officer, I have as much of a vested interest in this as anyone else! It might be worth mentioning also that I declared my ARRSE activities(!) during my DV interview and it didn't seem to raise any eyebrows.

However, be under no doubts that whoever we employ will be scrutinised to ensure that all of our personal information is kept as closely guarded as it currently is. It may be worth pointing out that everyone needs to remain vigilant about who online has their personal details although I'd counsel against 'tin foil hat' paranoia. One of the best ways of doing this is to use an anonymous email address rather than give your personal one. Maybe something like 123456@yahoo.co.uk ......

Good points all, particularly that last one. I am quick to forget that internet security is a very tricky area and there is a lot of myth and duff advice out there, maybe from me!

I will get the facts on this added to the site registration and FAQ in the wiki. The location-through-IP issue etc. (It is my understanding that) we are not tied to this sort of info by the Information Commissioner's regs because the data we hold is not considered 'personal information', but it is an area of interest to a lot and I could do with clearing the mist a bit.

You see that is news to me although I suspected this was the case. Perhaps this will prompt a re-assessment of the current joining procedure?

I have little concern for my PERSEC as far as being targeted by jihadists is concerned! That said, ARRSE is widely understood to be an anonymous forum and members ought to be made well aware of the degree to which such anonymity may be void as regards administrators and moderators.

It's all new for all of us so this needn't be considered to be a failure, more a time for revision and re-assessment.

It's as anonymous as any other web forum or as anonymous as any member wants to make it. You cannot unfortunately educate those who either don't care or leave a paper trail a Down Syndrome away-day party could follow. One would like to think that those who are potentially at threat would have the basic common sense to comply with the same basic persec they would observe in the real world. The only 'info' a mod can glean from his or her privileges are IP and email address (from posts in their own forum). And correct me if I'm wrong, Admin only have the same info. A member is only required to submit an email address and that is all. As has been discussed, an IP will not give a position of a person away and an email address is limited unless that address has a trail across other mediums on the net.

I don't think it is the responsibility of Admin to make people aware of security other than what is permissible to post. It is the individual's responsibility to ensure that if they don't want to be compromised, they ensure they are squeaky. It is very easy to ping some people on here even to the extent of getting a house address and phone number. That's not down to mod powers, that's down to weak persec and the power to use logic with google.

You have to ask 'what info could an insider get'? Very little...unless the user wishes to give it.

Employing someone in the scope Arrse Admin wish doesn't require MI type clearances or deep vetting. I would imagine some sensible wording in whatever contract is drawn up would be sufficient.